LabMD CEO to Appeal FTC Ruling That Company Is Liable for Unfair Data Security Practices
The head of medical testing company LabMD said he will appeal the FTC's ruling released Friday that found his company liable for unfair data security practices. Almost five months after oral argument (see 1603080005), the commission voted 3-0 to issue the opinion, which overturned a decision by its own in-house judge, who dismissed the case against the company in November. Chairwoman Edith Ramirez, who wrote the opinion, concluded the administrative law judge (ALJ) applied the wrong legal standard for unfairness.
Attorneys and several observers said they weren't surprised by the ruling, which some called significant. “Nothing about this case surprises me,” said attorney Craig Newman, who chairs Patterson Belknap's privacy and data security practice, in an email. “From the get go, LabMD hasn’t been a typical enforcement proceeding with accusations made about the reliability of the evidence and truthfulness of the witnesses.”
Michael Daugherty, who is CEO and sole employee of LabMD, which no longer tests specimens, said he's unsure when he will file an appeal, but has 60 days to do so. He said he expected the FTC to rule this way all along. "Really, I’m OK with this," he said in an interview. "I knew this was coming." He said he's looking forward to his case being heard in a federal, not administrative, court. The FTC "overturned [the ALJ decision] on hearsay but the beautiful thing is now we go to an Article III court where they don’t have the power of hearsay," he said. "They have to prove things. They don’t have proof."
Almost three years ago, the commission filed a formal complaint against the company, alleging it failed to take proper and reasonable security measures on its computer networks and exposed personal data of about 10,000 patients (see 1509160051). In one incident, online security firm Tiversa found a file in 2008 through the peer-to-peer file-sharing network LimeWire. That file contained 1,718 pages of sensitive personal information -- names, birth dates, Social Security numbers, medical and lab test codes, insurance company names, addresses and policy numbers -- for about 9,300 consumers. (It's referred to as the "1718 file" in the case.) In the second incident, the Sacramento Police Department in 2012 was searching the home of utility billing theft suspects when it found 40 company documents with the names and Social Security numbers of 600 people, along with copied checks bearing the names, addresses and bank numbers of nine people.
Daugherty and his lawyers have said that Tiversa and its CEO Robert Boback tried to extort money from LabMD, and the FTC opinion said it agreed with the ALJ that Boback's testimony "was not credible or reliable." But the commission rejected LabMD's argument that all Tiversa-related evidence that the FTC lawyers obtained should have been excluded from the record "and thus that the entire case should have been dismissed," said the FTC opinion.
Ramirez wrote that ALJ Michael Chappell's Nov. 13 decision "applied the wrong legal standard for unfairness." Chappell said in his opinion FTC lawyers failed to prove LabMD's "alleged failure to employ reasonable data security constitutes an unfair trade practice" because they "failed to prove the first prong of the three-part test -- that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers." He said FTC lawyers proved the "possibility" of harm, not its "likelihood."
Ramirez wrote that Congress has authorized the FTC to address injuries "not yet manifested." She said the commission looks at the probability that an injury will occur and its magnitude if it does occur. “Thus, a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low,” she wrote. “As is the case for analysis of unfairness generally, this evaluation does not require precise quantification. What is important is obtaining an overall understanding of the level of risk and harm to which consumers are exposed.”
Perkins Coie attorney Janis Kestenbaum, former senior legal adviser to Ramirez at the FTC, said in an interview this is a significant opinion legally because the commission said the near release or exposure of sensitive health information is a privacy harm "even if there's no evidence of fallout" that results in a tangible economic or physical injury. "Haven’t seen that before, at least not in that unequivocal language," she said. Second, she said the commission rejected the ALJ's reading that an unfair act or practice must cause substantial injury or be likely to cause it, which means "the harm is not merely possible but probable, more than 50 percent likelihood." She said the commissioners essentially said, "No, it can't be quantified. It's just a significant risk of harm."
"In the commission’s mind, they weren’t doing anything new or different," said Kestenbaum. "I think in their mind this is a standard that they’ve always been applying in the many data security cases that they’ve brought that almost always have resulted in settlements. But ... I think it is new. It is significant." Yet there's a lot of uncertainty in what this means and what is exactly a significant risk of injury, she added.
Newman said in his email “the crux of the Commission’s decision is that the exposure of sensitive information -- without evidence of misuse, compromise or actual harm -- is sufficient to cause a substantial consumer injury in this case under Section 5 of the FTC Act. In a broader sense, the entire question of consumer injury has been the issue du jour in civil cases filed against organizations that suffered data breaches. While regulatory enforcement proceedings like LabMD are different in several important respects, it nonetheless highlights the fact that the extent of consumer harm remains an important issue in data security matters.”
In the opinion, Ramirez also said the commission found the company's security practices were "unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system." For instance, she said LabMD didn't use an intrusion detection system or monitor traffic across its firewalls, provided virtually no data security training for employees and didn't delete consumer data it collected. Newman said, overall, the FTC has delivered a "sharp message" about its expectations for data security and its "focus on an organization’s overall data security plan including safeguards for intrusion detection, employee training, computer access and general cyber hygiene.”
Kestenbaum also said commissioners' unanimity is significant. "There was no split at all by the three commissioners not even in part. I don’t think that was a foregone conclusion," she said. There have been other commission opinions, she said, with a split or partial split primarily coming from Commissioner Maureen Ohlhausen, the lone Republican.
TechFreedom President Berin Szoka said he wasn't surprised by the ruling either. Besides sidestepping "the very embarrassing issue" of Tiversa's "shakedown," the commission said it "can make their case without any actual proof that the [1718] file was ever actually exposed," he said. "They’re essentially saying, well, we know unreasonable data security when we see it and there were things that were not done here, so we decide that was unreasonable." But he said the FTC would have had a stronger case if it had pointed to someone who was actually able to access that file.
"The problem here is the agency making its analysis increasingly attenuated from anything that’s really substantial and the problem with that is the further down that road you go the less limit there is on the agency’s discretion," Szoka added.